
Stryker hackers allegedly wiped tens of thousands of devices without using any malware

  • Handala hackers hit Stryker via compromised Intune admin
  • Tens of thousands of devices wiped, but no data theft confirmed
  • Medical products remain safe; order systems offline and manual only

When cybercriminals struck Stryker last week and wiped tens of thousands of electronic devices, they did so without using any malware. Instead, according to sources, they used Intune, Microsoft’s cloud-based endpoint management service.

Last week, a hacking collective calling itself Handala (AKA HAtef, Hamsa) said they broke into Stryker, a Fortune 500 healthcare company with tens of billions in annual sales. They claimed to have stolen 50 terabytes of data and wiped “tens of thousands of systems and servers across the company’s network.”

“In this operation, over 200,000 systems, servers, and mobile devices have been wiped, and 50 terabytes of critical data have been extracted,” the attackers allegedly said at the time. “Stryker’s offices in 79 countries have been forced to shut down.”


Abusing Intune

Stryker soon confirmed the reports with an 8-K filing. Multiple employees also confirmed their electronic devices were wiped overnight.

Then, a “source familiar with the attack” told BleepingComputer that Handala managed to compromise an Intune admin account and used it to create a new Global Administrator account. With the master account, they initiated the wipe command, erasing data from almost 80,000 devices in a matter of hours. The investigators have also disputed Handala’s claims of data exfiltration, saying they found no evidence that any data was removed whatsoever.
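
Detection logic for the sequence described above (a freshly created account granted Global Administrator, then a burst of wipe commands from one actor), added here as an example and not taken from the article, Stryker or Microsoft. The event fields, action strings, account names and thresholds are assumptions made for illustration; they are not the real Entra ID or Intune audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GA_ROLE_ADD = "role.add:Global Administrator"  # assumed action string


def _ev(ts, actor, action, target):
    # Simplified, constructed audit record (hypothetical field names).
    return {"time": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "target": target}


def sample_events():
    """Constructed sample data: one routine wipe plus the pattern from the article."""
    admin, new = "intune-admin@example.test", "svc-new@example.test"
    events = [
        _ev("2025-01-01T01:00:00", admin, "user.create", new),
        _ev("2025-01-01T01:02:00", admin, GA_ROLE_ADD, new),
        _ev("2025-01-01T09:00:00", "helpdesk@example.test", "device.wipe", "lost-laptop"),
    ]
    start = datetime.fromisoformat("2025-01-01T01:10:00")
    for i in range(40):  # 40 wipes, 10 seconds apart, all from the new account
        events.append({"time": start + timedelta(seconds=10 * i), "actor": new,
                       "action": "device.wipe", "target": f"device-{i}"})
    return events


def detect(events, max_account_age=timedelta(hours=24),
           wipe_window=timedelta(minutes=30), wipe_threshold=20):
    """Return (rule, principal) alerts in the order they would fire."""
    created, wipes, alerts = {}, defaultdict(list), []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["action"] == "user.create":
            created[e["target"]] = e["time"]
        elif e["action"] == GA_ROLE_ADD:
            born = created.get(e["target"])
            # Rule 1: an account that did not exist a day ago gets the top role.
            if born is not None and e["time"] - born <= max_account_age:
                alerts.append(("new_account_made_global_admin", e["target"]))
        elif e["action"] == "device.wipe":
            recent = wipes[e["actor"]]
            recent.append(e["time"])
            while e["time"] - recent[0] > wipe_window:  # slide the window
                recent.pop(0)
            # Rule 2: fire once when one actor reaches the threshold in the window.
            if len(recent) == wipe_threshold:
                alerts.append(("bulk_wipe", e["actor"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The single helpdesk wipe stays below the threshold and raises nothing; the thresholds would need tuning against an organization's normal wipe volume.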


In a subsequent update, Stryker said its medical devices are safe to use, but electronic order systems are offline, meaning customers can only place orders manually, through sales representatives.

“All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use,” the company said. “This event was contained to Stryker’s internal Microsoft environment, and as a result it did not affect any of our products—connected or otherwise.”

Although unconfirmed, reports are saying Handala are “hacktivists linked to Iran’s Ministry of Intelligence and Security”, targeting mostly Israeli organizations around the world.


Via BleepingComputer
